Wednesday, December 26, 2007

Bah, Storm.

I'd like to thank everyone who wrote in with the updates, CME711 is now using a Happy New Year theme. I would have posted earlier, but I promised the family a full day of Non-Digital happiness and it was truly a white Christmas.

Nothing sexy about this latest run, pretty crappy workmanship. It was an obvious afterthought. It probably pissed off the botrunner that so many people were able to catch on to his Naughty Santa theme, so he produced a text-only front page:
Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can (happy2008.exe) click here to launch the download and then press Run. Enjoy!
Hardly worth a post, except to exclaim how pathetic it looks. Certainly not the experience we've seen from these guys in exploits past. The domain was even registered December 23rd, such poor planning. Not an encoded javascript in sight. I wonder how much money these guys are paying their graphic designers. Certainly more than they're making. Even second rate script rats should think twice before getting in bed with these goons - they're too famous.

So, the domain? uhavepostcard.com. (also happycards2008.com)
Are the others still resolving? Yup.
Which binaries still work? stripshow.exe sony.exe happy2008.exe (update: happy-2008.exe)
Should the offenders be strung up by their toes and fed spoiled eggnog for 30 days? ;)

I sincerely hope that everyone else had a wonderful holiday, and for my New Years wish, I'd like a picture of the CME711 weenies drinking well expired eggnog. I'd also settle for another wonderful day with the family, as it was today.


Monday, August 13, 2007

Storm/Peed email template change

The storm authors have slightly altered their egreeting template, the most recent looks like this:

Family member has created a postcard for you at postcards.com,
the Internet's most popular greeting card service.

Your greeting card ID is: (HEX STRING)

To see your custom greeting card, simply click on the link below:
http://xx.xx.xxx.xxx/?(HEX STRING FROM ABOVE)

Send greeting cards from postcards.com whenever you want by visiting us at:
http://postcards.com/
Copyright (c) 1996-2007 postcards.com All Rights Reserved
The postcard.com links are valid pointers.

Paul got this one over the weekend:
Neighbour(secretariaat.antwer ...@libertysurf.fr) has created Animated postcard for you
at yourgreeting.com.

To see your custom Animated postcard, simply click on the following
Internet address (if your mail program doesn't support this feature
you will need to COPY and PASTE the address into your browser's address box):

http://xxx.xxx.xxx.xxx/?089c03307ff04a3fcb36edbf088
Send a FREE greeting card from yourgreeting.com whenever you want by visiting us at:
http://yourgreeting.com/
This service is provided and hosted by yourgreeting.com.


Saturday, July 21, 2007

E-Greetings ... Yes, they are part of stormworm/peacom/peed.

Many of you may have already received email like this:

Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http ://127.0.0.1/? 5b23933165b19d3383b4c009ee64d82c3a9ebee

Or copy and paste it into your browser's "Location" box (where Internet
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
hallmark.com
We've certainly noticed them hitting our email drops. The link points to ecard.exe, or another binary file. To date we've captured over 6,500 unique binaries related to this spam. (Full list available here.)
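The three lure templates quoted on this page (the postcards.com and yourgreeting.com mails in the August post, and the hallmark.com mail above) share one shape: the text names a real greeting-card brand, but the only clickable link is a bare IP address with no path and a long hex token as its entire query string. Below is an added example of a mail-drop filter that keys on that shape. It is not code from this blog or from any Storm analysis; the three message bodies are constructed to mirror the quoted templates, and the IP addresses in them are RFC 5737 documentation ranges, not real Storm nodes.

```python
"""Detector for the Storm e-card lure shape quoted on this page.

Added example, not the blog author's code. Flags a message body when a
link points at an IP literal whose URL has no path and a hex-only query
token, and reports which card-service brand the text name-drops so an
analyst can see the impersonation at a glance.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Any http(s) URL in the body, stopping at whitespace or markup characters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Brand-looking domains mentioned in running text (postcards.com, hallmark.com ...).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:com|net|org))\b", re.IGNORECASE)
# The "card ID" tokens in the templates are 27-39 hex chars; require at least 16.
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def extract_links(body: str) -> list[str]:
    """Return every http(s) URL in the body, in order, trailing punctuation dropped."""
    return [m.group(0).rstrip(".,)") for m in URL_RE.finditer(body)]


def is_storm_ecard_link(url: str) -> bool:
    """True when the URL has the Storm e-card shape:
    IP-literal host, empty path, and a query that is nothing but a hex token."""
    parts = urlsplit(url)
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False  # a real hostname, not an IP literal
    if parts.path not in ("", "/"):
        return False  # real card services carry a path (/view, /pickup ...)
    return bool(HEX_TOKEN_RE.match(parts.query))


def analyse(body: str) -> dict:
    """Summarise one message body: links, lure links, brands named, verdict."""
    links = extract_links(body)
    lures = [u for u in links if is_storm_ecard_link(u)]
    brands = sorted({d.lower() for d in DOMAIN_RE.findall(body)})
    return {
        "links": links,
        "lure_links": lures,
        "brands_named": brands,
        "suspicious": bool(lures),
    }


# Constructed samples mirroring the templates quoted on this page (not real mail).
HALLMARK_SAMPLE = """Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15 days.

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http://192.0.2.10/?5b23933165b19d3383b4c009ee64d82c3a9ebee

Wishing you the best,
Mail Delivery System,
hallmark.com
"""

POSTCARDS_SAMPLE = """Family member has created a postcard for you at postcards.com,
the Internet's most popular greeting card service.

Your greeting card ID is: 089c03307ff04a3fcb36edbf088

To see your custom greeting card, simply click on the link below:
http://198.51.100.7/?089c03307ff04a3fcb36edbf088

Send greeting cards from postcards.com whenever you want by visiting us at:
http://postcards.com/
"""

# A benign-looking card mail: named host with a real path, so it must not fire.
LEGIT_SAMPLE = """A friend sent you a card from example-cards.com.
View it here: https://www.example-cards.com/view?id=abc123
"""

if __name__ == "__main__":
    for name, body in (("hallmark", HALLMARK_SAMPLE),
                       ("postcards", POSTCARDS_SAMPLE),
                       ("legit", LEGIT_SAMPLE)):
        print(name, analyse(body))
```

The check deliberately ignores the brand text when deciding the verdict: the IP-plus-hex-token link alone is the tell, and the brand list is only there so the analyst sees which service each run impersonates. A hostname-based variant of the lure (which the page does not show) would slip past `is_storm_ecard_link`, so this is a triage filter for the templates observed here, not a general e-card classifier.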

Once downloaded this bot will then make connections to other peers on the storm network. There are over 250 hard coded peers in the list, however many appear to be red herrings, so I will not post the list here until I can confirm each and every one.

Selected drones are turned into proxy spreaders, which means they proxy a connection to the 'main' server (located at 205.209.X.X).

I'm working with Shadowserver to get the binaries mass submitted to their anti-virus check service. A spot check of 15 random binaries yielded pretty much the same results:

AhnLab-V2, Authentium, Avast, AVG, ClamAV, eTrust-Vet, Ewido, FileAdvisor, F-Prot, F-Secure, McAfee, Norman, Panda, Symantec, TheHacker, VBA32, and VirusBuster were UNABLE to identify the binary at all.

Several other engines identified it as 'suspicious'. The most consistent results came from (in order): Bitdefender, Nod32, Sophos, Kaspersky and Microsoft.

Please be extra careful clicking on links in email, even from trusted parties!
